galaxyus
Level 9
Message 1 of 7

Network security platform HA

Hi everyone,

We're deploying 2 6050 appliances in a full HA diagram. The 2 appliances run in HA mode active/active. We have to protect 2 segments. Is the bypass kit necessary in this case or not?

Hope anyone can help.

Gala

6 Replies
cedricr
Level 9
Message 2 of 7

Re: Network security platform HA

Hello Gala,

This is up to your needs. M-6050 sensors have no ports with integrated fail-open functionality. So in case of ...

... a failure of one appliance, is the performance of the other device enough for your environment? If not, you need bypass/failopen kits, but you will lose security. Otherwise you will have performance issues and maybe business impact.

... a failure of both appliances, there will be a full interruption of your traffic. If your company cannot live with an outage until you have fixed the problem, you will need the bypass/failopen kits.

You have to decide if the business impact of the outage is higher than the loss of security.

Greetings,

Cedric

gene33
Level 9
Message 3 of 7

Re: Network security platform HA

Here is how we do this:

Sensor A (primary):  No Fail Open Kits.

Sensor B (secondary):  Does have fail open kits installed.

If sensor A goes down, firewalls should notice route is down and failover to secondary route.  If secondary sensor also fails, then the fail open kits should begin operation.

Hope this helps.

msitko
Level 10
Message 4 of 7

Re: Network security platform HA

Gene33's setup is typically how I see customers using HA.  That way you force traffic to go through a sensor, regardless of which one is active, and have a way out through the FO kit if both sensors go down.

cedricr
Level 9
Message 5 of 7

Re: Network security platform HA

We are using the same setup as Gene33 described. But Gala's setup is active/active which can result in performance issues in case of an outage, as the devices are probably sized to carry half the traffic.

Re: Network security platform HA

gene33,

Based on what I have learned from McAfee documentation ...

If both sensors in the HA pair are active/active with asymmetric routing, and the 'secondary' sensor (the one with fail-open kit) goes down, its fail-open kit goes into bypass mode and this route's traffic is no longer monitored, thus reduced security.

Is this assumption correct?

msitko
Level 10
Message 7 of 7

Re: Network security platform HA

That's correct.  If you're sending traffic to both sensors at the same time, and the sensor fails open, then odds are your attached devices will not detect a failure and will still send traffic to the failed open path.  Traffic will still flow through both paths, and the failed open path will not scan traffic.  It may also cause problems if the working sensor does not see the initial connection, but receives other parts of the traffic flow.
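
The two designs discussed in this thread (gene33's primary/secondary with a kit only on the secondary, versus Gala's active/active with boxes sized for half the traffic), worked through as an added example that is not part of the thread and not McAfee's own tooling. The sensor names, capacities and traffic shares are assumptions; the model applies the failure behaviour cedricr and msitko describe (a kit keeps the link up and bypasses uninspected, no kit drops the link so attached devices reroute).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sensor:
    name: str
    fail_open_kit: bool  # bypass kit fitted (the M-6050 has no built-in fail-open ports)
    capacity: float      # fraction of total traffic the box can inspect at line rate

def evaluate(sensors, shares, down):
    """Where does traffic end up when the sensors named in `down` fail?
    Assumptions from the thread: a failed sensor with a kit keeps its link up
    and passes traffic uninspected, so attached devices notice nothing; without
    a kit the link drops and attached devices reroute that share to whatever
    links are still up (nothing up -> traffic dropped)."""
    alive = {s.name for s in sensors if s.name not in down}
    link_up = {s.name: s.name in alive or s.fail_open_kit for s in sensors}
    targets = [n for n, up in link_up.items() if up]
    load = {s.name: 0.0 for s in sensors}
    dropped = 0.0
    for s in sensors:
        if link_up[s.name]:
            load[s.name] += shares[s.name]
        elif targets:
            for t in targets:
                load[t] += shares[s.name] / len(targets)
        else:
            dropped += shares[s.name]
    return {
        "inspected": sum(load[n] for n in alive),
        "bypassed": sum(load[n] for n in load if n not in alive),  # kit in bypass
        "dropped": dropped,
        "overloaded": [s.name for s in sensors
                       if s.name in alive and load[s.name] > s.capacity + 1e-9],
    }

# gene33's design: primary with no kit, secondary with a kit, each sized for full load.
PRIMARY_SECONDARY = ([Sensor("A", False, 1.0), Sensor("B", True, 1.0)], {"A": 1.0, "B": 0.0})
# Gala's design (assumed): active/active, each box sized for half the traffic, kit only on B.
ACTIVE_ACTIVE = ([Sensor("A", False, 0.5), Sensor("B", True, 0.5)], {"A": 0.5, "B": 0.5})

def compare(failed):
    """Return {design: outcome} for the same failure applied to both designs."""
    return {name: evaluate(sensors, shares, set(failed))
            for name, (sensors, shares) in
            [("primary/secondary", PRIMARY_SECONDARY), ("active/active", ACTIVE_ACTIVE)]}

if __name__ == "__main__":
    for failed in ([], ["A"], ["B"], ["A", "B"]):
        for design, r in compare(failed).items():
            print(f"{','.join(failed) or 'none':<12} {design:<18} {r}")
```

Running it shows the thread's conclusions side by side: in active/active a failed B with a kit leaves half the traffic flowing uninspected while the attached devices see no failure, and a failed A without a kit pushes the full load onto a box sized for half.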
